Non-financial risks (NFRs) have significantly increased in importance for financial firms in Europe (and globally), mainly due to regulatory scrutiny from the European Banking Authority (EBA) and Germany’s Federal Financial Supervisory Authority (BaFin) regarding the risk-bearing capability of financial institutions. However, there isn’t a defined set of risk types that is required to be included in the NFR taxonomy.
Financial institutions use varying approaches to defining and managing NFRs. This article sheds light on these discrepancies and recommends best practice approaches to creating an integrated non-financial risk framework.
LACK OF CONTROL OVER NFRs
Non-financial risks have gained attention in recent years; notably, IT and reputational risks have increased alongside digital transformation, which has accelerated since the COVID-19 pandemic. In addition, MaRisk AT 2.2 requires financial institutions to incorporate ESG risks into their existing risk frameworks.
While some non-financial risks are well established within NFR risk frameworks, others have not been fully integrated, which affects their adequate monitoring and control. And while many financial institutions understand the severity of NFRs’ impact, including all risk types in their risk frameworks is challenging, and the interlinking of different risk frameworks is largely new.
CHALLENGES WITH NFR INTEGRATION
As there is no standard set of risk types that is required by the regulator to be included in the NFR taxonomy, the first task for firms looking to create an integrated non-financial risk management framework is to define NFRs.
There are certain risk types that should always be considered due to market standards, such as operational risk, conduct risk and reputational risk, as well as legal, ICT and ESG risks.
In some institutions, ESG risks combine several non-financial risk types and are often considered as drivers for the main financial and non-financial risk types.
However, depending on the risk strategy and business model, the definition of non-financial risk may vary, which results in different approaches to integrating ESG risks in the NFR framework.
The following chart shows a non-exhaustive overview of non-financial risk types, with those highlighted in bold considered urgent by the institutions we have engaged with, due to rising regulatory pressures and gaps in the existing NFR frameworks.
Additional challenges with integrating NFRs into the overall risk frameworks are linked to the following factors:
NEXT STEPS
The centralization of NFR units requires an overarching risk management approach and harmonization of the processes involved.
As a first step, financial institutions must define the material types of risks that form distinct risk categories within the NFR framework. Further, ways of quantifying emerging risks must be defined, taking into account institutions’ risk appetite.
Once the definition of each risk type has been agreed on internally and it has been decided which risk types should be integrated as part of the NFR framework, financial institutions need to implement control measures to minimize these risks.
A properly structured governance and reporting system is key to making sure risk tolerance levels are adhered to and internal procedures are followed.
In most banks, the overarching NFR organization is anchored within Risk Controlling, Compliance or directly below the Management Board. Individual NFR functions (OpRisk, Compliance, Business Continuity Management, etc.) are normally located in various second line units.
Clearly defined roles, standardized processes, integrated reporting and structured communication channels between the NFR units alongside appropriate IT support and automated interfaces are prerequisites for success and increased efficiency.
CONCLUSION
Increased reputational and IT risks and the need to integrate ESG risks into their risk management frameworks are urging financial institutions to rethink existing structures and focus on building meaningful connections between risk types.
An integrated NFR risk framework has become a necessity for ensuring that non-financial risks are fully monitored and controlled, and for achieving efficiency gains.
Key success factors include a well-defined set of risk types, clearly structured governance and a well-organized reporting and communication system.
Capco has a strong and rich record of supporting clients with their change processes, spanning a wide range of business and regulatory requirements, processes and data and IT implementations.
We have developed an approach for integrating various non-financial risk types into an integrated NFR risk management framework, supported by robust data and IT frameworks.
Contact us to learn more about how we can help your institution on its journey to change, giving you an edge over your competition.